Research On Code Obfuscation Oriented To Control Flow

The rapid development of the internet not only promotes the vigorous rise of the computer software industry,but also provides a new channel for criminals to collect users' personal information and steal trade secrets and state secrets.Through the reverse analysis of computer software,the attacker cracked the program execution logic,achieved a series of malicious purposes such as software piracy and vulnerability mining,resulting in huge economic losses and security risks.As an antagonistic technology for software reverse,code obfuscation can effectively prevent reverse analysts from understanding code logic and increase reverse cost through the automatic equivalent transformation of code structure.However,with the rapid development of reverse technology in recent years,the effectiveness of traditional code obfuscation technology is weakening,which brings about an urgent problem to be solved in the academic community,that is,how to build a more confrontational code obfuscation algorithm.Control flow is an abstract description of program execution process.Protecting control flow can effectively prevent reverse analysts from cracking program execution path.From the perspective of control flow,aiming at the vulnerability of current code obfuscation technology,this thesis proposes intra-procedure control flow obfuscation algorithm and inter-procedure control flow obfuscation algorithm.On this basis,a compiler level automatic code obfuscation system based on LLVM and the corresponding application strategy of obfuscation algorithm are constructed.The main research work and innovations of this thesis are as follows:1.Aiming at the intra-procedure branch jump structure,a control flow obfuscation model based on callback function is designed and implemented: the callback function is used to construct an equivalent branch model,so that the inherent operation mechanism of the system callback process can replace the traditional branch control mode,and the intra-procedure jump of the basic block is switched to the inter-procedure function call to resist the reverse technology.In order to further increase the obfuscation intensity,a function call fusion algorithm is designed and implemented to construct more complex function call process.The experiment results show that the obfuscation system effectively changes the static structure of the program,and owns better concealment than the traditional obfuscation algorithm.2.Aiming at the inter-procedure function call mode,the execution trace obfuscation model among threads is designed and implemented: the communication process among threads is used to replace the function call process,so that the program execution trajectory can jump repeatedly among multiple threads,which is against the dynamic instruction tracking technology.On this basis,the temporary address information generated during thread interaction is used to cascade encrypt the objective function to enhance the protection effect of the algorithm on the program,and the static program analysis technology is used to optimize the load balance of the obfuscation algorithm.Experiment results show that the obfuscation system can effectively interfere with advanced dynamic analysis tools.3.For the existing obfuscation algorithms,the overhead situation is systematically evaluated,the possible execution overhead caused by the algorithm is concretely studied,and the obfuscation overhead avoidance scheme is specifically given by using static program analysis technology to optimize the obfuscation algorithm.The experiment results show that the overhead caused by the obfuscation algorithm is linearly related to the program complexity,which attains preferable practical value.4.Aiming at the existing obfuscation algorithms,an application strategy of obfuscation algorithm based on function importance evaluation is proposed: taking the vertex complexity of function call graph,function instruction information entropy,cyclomatic complexity and function call complexity as evaluation indexes,a function importance evaluation model is constructed.On this basis,the obfuscation algorithm is applied strategically.The experiment results show that the strategic obfuscation has better protection effect than the traditional obfuscation mode,and is of positive significance to the software industry.